000014680 - How are keys stored in disk and memory cache?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014680
Applies To: RSA Key Manager C Clients 2.x
Issue: How are keys stored in disk and memory cache?
How is the RKM client cache encrypted?
Resolution

--------------------------------
How are keys in cache protected?
--------------------------------

DEK        = Data Encryption Key received from RKM Server
PASSWORD   = Cache password
SALT       = random bytes
ITERATIONS = randomly generated between 1000 and 2000
KEK        = PBKDF2(PASSWORD, SALT, ITERATIONS) = Key Encryption Key
KEKIV      = random bytes                       = Key Encryption Key Initialization Vector
DEKHASH    = concat(DEK, hash(DEK))             = Concatenation of DEK and its hash for integrity check
CEK        = random bytes                       = Cache Encryption Key
CEKIV      = random bytes                       = Cache Encryption Key Initialization Vector
CEKHMAC    = concat(CEK, hmac(CEK, KEK))        = Concatenation of CEK and its HMAC, for integrity check

-------------------
What's in the cache
-------------------
KM_Security_table.iteration_count = ITERATIONS
KM_Security_table.salt            = base64_encode(SALT)
KM_Security_table.kek_iv          = base64_encode(KEKIV)
KM_Security_table.cek_iv          = base64_encode(CEKIV)
KM_Security_table.cek             = base64_encode(aes_encrypt(CEKHMAC using KEK and KEKIV))
KM_Key_Table.key                  = base64_encode(aes_encrypt(DEKHASH using CEK and CEKIV))

Legacy Article ID: a51552
